freda_bundc...@nym.hush.com wrote:
> Description:
> man starttls says one can link a new certificate to cert.pem with
> ln -s /etc/ssl/mail.example.com.crt /etc/ssl/cert.pem if one does not
> intend
That entire section seems dumb and outdated. I would prefer we simply not give any advice here. Users can figure out what they need to do. Installing the public cert needs to be done on many other machines, not just the one where it's generated. Index: starttls.8 =================================================================== RCS file: /home/cvs/src/share/man/man8/starttls.8,v retrieving revision 1.26 diff -u -p -r1.26 starttls.8 --- starttls.8 27 Jun 2018 05:39:02 -0000 1.26 +++ starttls.8 11 Aug 2019 02:20:01 -0000 @@ -102,18 +102,6 @@ with the following command: .Pp .Dl # openssl x509 -in /etc/ssl/mail.example.com.crt -text .Pp -If you don't intend to use TLS for authentication (and if you are using -self-signed certificates you probably don't) you can simply link -your new certificate to -.Pa cert.pem : -.Pp -.Dl # ln -s /etc/ssl/mail.example.com.crt /etc/ssl/cert.pem -.Pp -If, on the other hand, you intend to use TLS for authentication -you should add your certificate authority bundle to -.Pa /etc/ssl/cert.pem -(or whatever your software expects). -.Pp Because the private key files are unencrypted, MTAs can be picky about using tight permissions on those files. The certificate directory and the files therein should be
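Review bot: the removed paragraph told readers to symlink a single server certificate over /etc/ssl/cert.pem, which on this system is the CA bundle that clients use to verify peers, so following it would replace the whole trust store with one self-signed cert and silently break outbound TLS verification; dropping it is the right fix. The second removed paragraph ("add your certificate authority bundle to /etc/ssl/cert.pem") was the only remaining mention of where trust anchors live, and the hunk replaces it with nothing, so consider keeping one sentence that says cert.pem is the system CA bundle and is not where the server's own certificate belongs. Structurally the hunk is sound: the `.Pp` after the `.Dl # openssl x509 ...` line is kept as context and the trailing `-.Pp` is removed with the block, so the "Because the private key files are unencrypted" paragraph still starts on its own paragraph break.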